
sansec/composer-integrity-plugin
================================

Latest release 0.2.2, MIT license, requires PHP >= 8.1. Links: [Source](https://github.com/sansecio/composer-integrity-plugin), [Packagist](https://packagist.org/packages/sansec/composer-integrity-plugin), [Issues](https://github.com/sansecio/composer-integrity-plugin/issues).

Composer Integrity Plugin
=========================

Check your installed composer packages against a list of known correct checksums (provided by Sansec).

This plugin calculates a [one-way hash](https://github.com/Cyan4973/xxHash) of:

- `composer.json` and `composer.lock`
- package names and package versions
- the file contents of the installed packages (as a checksum)

These hashes are then looked up in a larger database hosted at Sansec. Because only hashes leave the machine, your setup can be checked without sharing file contents with a third party; the Sansec API does not store the hashes it receives. Two caveats a practitioner should keep in mind: xxHash is a fast, non-cryptographic hash, so "one-way" here means that file contents cannot be recovered from a hash, not that collisions are computationally infeasible; and the hash of a short, predictable input such as a package name plus version is trivial to match against a dictionary of known packages, so treat the lookup as disclosing which packages and versions you run (which the service needs anyway to find the expected checksums).

![Screenshot of composer integrity output](https://user-images.githubusercontent.com/1145479/233590606-824ae163-19a1-4871-9387-5ce402634150.png)

Installation & Usage
--------------------

### Composer Plugin

```
composer require sansec/composer-integrity-plugin
```

You can then run it:

```
composer integrity
```

### PHAR

Head over to the [releases](https://github.com/sansecio/composer-integrity-plugin/releases) page and download the latest PHAR.

You can then run it:

```
php composer-integrity.phar
```

### Configuration

Both the plugin and the PHAR accept the following optional options:

- `--skip-match`: show only non-matching checksums
- `--json`: print the result as JSON instead of a table

Why did we make this?
---------------------

Sansec specializes in forensic investigations of breached Magento stores. We noticed an increase in cases where malware was hidden inside legitimate libraries under `vendor`. Most package managers provide some sort of integrity check for installed software, but Composer does not verify the contents of `vendor` after installation. So we made this plugin to verify the integrity of an installation quickly.

Alternatively, you could copy `composer.json` and `composer.lock` elsewhere, recreate `vendor` from them, and diff the result against your installation. But this takes much more time, and the original dependencies are not always available on production servers.

Caveats
-------

The plugin does not account for patches, whether applied through [composer-patches](https://github.com/cweagans/composer-patches), via a `post-install-cmd` Composer script, or by editing files in `vendor` outright; a patched file will not match the known checksums and is reported like any other mismatch.

In such cases it is the user's responsibility to assess each mismatch and take appropriate action.
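The manual "recreate `vendor` and diff" route described above and the patch caveat both come down to the same operation: comparing two manifests of per-file hashes, where the baseline is either a pristine rebuild or a snapshot taken after your own patches were applied. The script below is an added example, not code from the plugin or from Sansec; it assumes a POSIX shell with GNU coreutils (`find`, `sha256sum`, `sort`, `awk`, `mktemp`; on macOS substitute `shasum -a 256`), and the `rebuild_pristine_vendor` step additionally assumes the `composer` binary and network access.

```shell
#!/usr/bin/env bash
# Added example (not part of sansec/composer-integrity-plugin): an offline
# baseline check for vendor/ that complements the Sansec lookup.
set -eu

# Emit a manifest of every regular file below $1 as "<sha256>  <relative path>",
# sorted by path so two manifests can be compared line by line.
tree_manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare a baseline manifest ($1) with a current one ($2). Prints one line per
# difference ("added", "modified" or "removed" followed by the path) and nothing
# when they match. Returns 0 on a match and 1 on any difference, so it can gate
# a deploy or a cron job. Each manifest line is the 64-hex-char hash, two
# spaces (sha256sum's separator), then the path from column 67 onwards.
compare_manifests() {
  local changes
  [ -r "$1" ] && [ -r "$2" ] || { echo "manifest not readable" >&2; return 2; }
  changes="$(awk -v B="$1" -v C="$2" '
    BEGIN {
      while ((getline l < B) > 0) base[substr(l, 67)] = substr(l, 1, 64)
      close(B)
      while ((getline l < C) > 0) cur[substr(l, 67)] = substr(l, 1, 64)
      close(C)
      for (p in cur) {
        if (!(p in base)) print "added " p; else if (cur[p] != base[p]) print "modified " p
      }
      for (p in base) if (!(p in cur)) print "removed " p
    }' | LC_ALL=C sort)"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# The manual route: rebuild a pristine vendor/ from the project's composer.json
# and composer.lock in a scratch directory, with scripts and plugins disabled
# so nothing referenced by the lock file can alter the reference tree while it
# is built. Pass the same flags the production deploy used (e.g. --no-dev,
# --optimize-autoloader) so the generated autoload files match. Prints the
# path of the rebuilt vendor/ directory. Requires composer and network access.
rebuild_pristine_vendor() {
  local project="$1" scratch
  shift
  scratch="$(mktemp -d)"
  cp "$project/composer.json" "$project/composer.lock" "$scratch/"
  ( cd "$scratch" && composer install --no-scripts --no-plugins --prefer-dist --no-interaction --quiet "$@" )
  printf '%s\n' "$scratch/vendor"
}
```

Typical use: run `tree_manifest vendor > vendor.baseline` immediately after a deploy, once composer-patches and any `post-install-cmd` edits have been applied, and later run `tree_manifest vendor > now.txt && compare_manifests vendor.baseline now.txt` from cron or a deploy hook. To check against a pristine rebuild instead, manifest the directory printed by `rebuild_pristine_vendor /path/to/project --no-dev` and compare it with a manifest of the live `vendor`. Store the baseline outside the web root and outside `vendor` (for example with your CI artifacts): a baseline kept next to the code can be rewritten by whoever rewrote the code.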

License
-------

[MIT License](./LICENSE) - Copyright (c) 2023 Sansec
